Predefined roles and permissions

This page provides information on BigQuery's Cloud Identity and Access Management roles and permissions.

This page includes roles and permissions relevant to each of BigQuery's companion products:

BigQuery ML
BigQuery Data Transfer Service
BigQuery BI Engine

For additional information on access controls in BigQuery ML, see Access control in the BigQuery ML documentation.

Overview

When an identity calls a Google Cloud Platform API, Google BigQuery requires that the identity has the appropriate permissions to use the resource. You can grant permissions by granting roles to a user, a group, or a service account.

This page describes the BigQuery Cloud IAM roles that you can grant to identities to access BigQuery resources.

Cloud IAM role types

There are three types of roles in Cloud Identity and Access Management:

Primitive roles include the Owner, Editor, and Viewer roles that existed prior to the introduction of Cloud Identity and Access Management.
Predefined roles provide granular access for a specific service and are managed by GCP. Predefined roles are meant to support common use cases and access control patterns.
Custom roles provide granular access according to a user-specified list of permissions.

To determine if one or more permissions are included in a primitive, predefined, or custom role, you can use one of the following methods:

The gcloud iam roles describe command
The roles.get() method in the Cloud IAM API

When you assign both predefined and primitive roles to a user, the permissions granted are a union of each role's permissions.

For additional information on using IAM to access resources, see Granting, changing, and revoking access to resources in the Cloud Identity and Access Management documentation.

For information on creating custom roles, see Creating and managing custom roles in the Cloud Identity and Access Management documentation.

BigQuery permissions and predefined Cloud IAM roles

To grant access to a BigQuery resource, assign one or more roles to a user, group, or service account. When you assign roles at the organization and project level, you provide permission to run BigQuery jobs or to manage all of a project's BigQuery resources.

You can also assign roles at the dataset level to provide access only to one or more datasets. In the IAM policy hierarchy, BigQuery datasets are child resources of projects. Tables and views are child resources of datasets — they inherit permissions from their parent dataset.

For more information on assigning roles at the dataset level, see Controlling access to datasets.

BigQuery permissions

The following table describes the permissions available in BigQuery.

Permission	Description
`bigquery.jobs.create`	Create new jobs.
`bigquery.jobs.listAll`	List all jobs and retrieve metadata on any job submitted by any user.*
`bigquery.jobs.list`	List all jobs and retrieve metadata on any job submitted by any user.* For jobs submitted by other users, details and metadata are redacted.
`bigquery.jobs.get`	Get data and metadata on any job.*
`bigquery.jobs.update`	Cancel any job.*
`bigquery.datasets.create`	Create new empty datasets.
`bigquery.datasets.delete`	Delete a dataset.
`bigquery.datasets.get`	Get metadata about a dataset.
`bigquery.datasets.update`	Update metadata for a dataset.
`bigquery.tables.create`	Create new tables.
`bigquery.tables.list`	List tables and metadata on tables.
`bigquery.tables.delete`	Delete tables.
`bigquery.tables.get`	Get table metadata. To get table data, you need `bigquery.tables.getData`.
`bigquery.tables.getData`	Get table data. To get table metadata, you need `bigquery.tables.get`.
`bigquery.tables.export`	Export table data out of BigQuery.
`bigquery.tables.update`	Update table metadata. To update table data, you need `bigquery.tables.updateData`.
`bigquery.tables.updateData`	Update table data. To update table metadata, you need `bigquery.tables.update`.
`bigquery.routines.create` (beta)	Create new routines (functions and stored procedures).
`bigquery.routines.list` (beta)	List routines and metadata on routines.
`bigquery.routines.delete` (beta)	Delete routines.
`bigquery.routines.get` (beta)	Get routine definitions and metadata.
`bigquery.routines.update` (beta)	Update routine definitions and metadata.
`bigquery.transfers.get`	Get transfer metadata.
`bigquery.transfers.update`	Create, update, and delete transfers.
`bigquery.savedqueries.create`	Create saved queries.
`bigquery.savedqueries.get`	Get metadata on saved queries.
`bigquery.savedqueries.list`	List saved queries.
`bigquery.savedqueries.update`	Update saved queries.
`bigquery.savedqueries.delete`	Delete saved queries.
`bigquery.readsessions.create` (beta)	Create a new read session via the BigQuery BigQuery Storage API.
`bigquery.connections.create` (beta)	Create new connections in a project.
`bigquery.connections.get` (beta)	Get connection metadata. Credentials are excluded.
`bigquery.connections.list` (beta)	List connections in a project.
`bigquery.connections.use` (beta)	Use a connection configuration to connect to a remote data source.
`bigquery.connections.update` (beta)	Update a connection and its credentials.
`bigquery.connections.delete` (beta)	Delete a connection.

* For any job you create, you automatically have the equivalent of the bigquery.jobs.get and bigquery.jobs.update permissions for that job.

BigQuery predefined Cloud IAM roles

The following table lists the predefined BigQuery IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.

BigQuery roles

Role	Title	Description	Permissions	Lowest resource
`roles/ bigquery.admin`	BigQuery Admin	Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.	bigquery.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ bigquery.connectionAdmin`	BigQuery Connection Admin ^Beta		bigquery.connections.*
`roles/ bigquery.connectionUser`	BigQuery Connection User ^Beta		bigquery.connections.get bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.use
`roles/ bigquery.dataEditor`	BigQuery Data Editor	When applied to a dataset, dataEditor provides permissions to: Read the dataset's metadata and to list tables in the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets.	bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.models.* bigquery.routines.* bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list	Dataset
`roles/ bigquery.dataOwner`	BigQuery Data Owner	When applied to a dataset, dataOwner provides permissions to: Read, update, and delete the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets.	bigquery.datasets.* bigquery.models.* bigquery.routines.* bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list	Dataset
`roles/ bigquery.dataViewer`	BigQuery Data Viewer	When applied to a dataset, dataViewer provides permissions to: Read the dataset's metadata and to list tables in the dataset. Read data and metadata from the dataset's tables. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list	Dataset
`roles/ bigquery.jobUser`	BigQuery Job User	Provides permissions to run jobs, including queries, within the project. The jobUser role can enumerate their own jobs and cancel their own jobs.	bigquery.jobs.create resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ bigquery.metadataViewer`	BigQuery Metadata Viewer	When applied at the project or organization level, metadataViewer provides permissions to: List all datasets and read metadata for all datasets in the project. List all tables and views and read metadata for all tables and views in the project. Additional roles are necessary to allow the running of jobs.	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ bigquery.readSessionUser`	BigQuery Read Session User ^Beta	Access to create and use read sessions	bigquery.readsessions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/ bigquery.user`	BigQuery User	Provides permissions to run jobs, including queries, within the project. The user role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the `bigquery.dataOwner` role for these new datasets.	bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.jobs.create bigquery.jobs.list bigquery.models.list bigquery.readsessions.* bigquery.routines.list bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.list bigquery.transfers.get resourcemanager.projects.get resourcemanager.projects.list	Project

BigQuery primitive roles

For information on BigQuery primitive roles, see BigQuery primitive roles and permissions.

BigQuery custom roles

To create a custom Cloud IAM role for BigQuery, follow the steps outlined in the Cloud IAM custom roles documentation.

What's next

See the BigQuery access control examples.
For information on BigQuery primitve roles, see BigQuery primitive roles and permissions.
For more information on assigning roles at the dataset level, see Controlling access to datasets.

Was this page helpful? Let us know how we did:

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated July 9, 2019.